Seeking Information regarding VoIP security Assessment


Seeking Information regarding VoIP security Assessment

by Abhishek Kumar-6

Dear list,

Can I have some resource materials for VoIP security and its Assessment ??

regards
abhi

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


Re: Seeking Information regarding VoIP security Assessment

by Lim Ming Wei

Which voip system are you looking at?

Lim Ming Wei

Send via mobile device.




On 14-Oct-2009, at 11:26 PM, Abhishek Kumar <abhishek.luck@...>  
wrote:

> Dear list,
>
> Can I have some resource materials for VoIP security and its  
> Assessment ??
>
> regards
> abhi
>


Re: Seeking Information regarding VoIP security Assessment

by Jon Kibler-2

Abhishek Kumar wrote:
> Dear list,
>
> Can I have some resource materials for VoIP security and its Assessment ??
>
> regards
> abhi
>

What do you mean by VoIP security? SIPS/SRTP?

VoIP has so very many security issues as to be almost laughable. There are so
many VoIP issues that I would not know where to begin -- ranging anywhere from
MiTM (ARP spoofing, capture and replay, etc.) and authentication and
authorization, to RTP injection and ... I could go on forever, almost.

Bottom line: VoIP, as implemented today, is a clear-text protocol (unless you
are tunneling SIP and RTP through IPSec). It has all the equivalent security
issues of any clear text protocol, such as FTP (actually, TFTP may be a better
comparison).

If you should be one of the rare organizations using SIPS/SRTP, there are still
a ton of security issues (for example, SRTP setup in the clear). There are also
incredible interop issues if you are using SIPS/SRTP.

I just finished a 9 month VoIP project. I can assure you that VoIP security is a
major nightmare. It is *not* a pretty picture! For a decent introduction to the
low hanging fruit of VoIP security, I recommend:
http://www.amazon.com/Hacking-VoIP-Protocols-Attacks-Countermeasures/dp/1593271638/ref=sr_1_5?ie=UTF8&s=books&qid=1255539821&sr=1-5

I hope this helps!

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler@...
e: Jon.R.Kibler@...
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
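
The point above about SRTP being set up in the clear can be checked from a captured INVITE. This is an added example, not part of the original post: it assumes the keying is SDES (`a=crypto` lines in the SDP, RFC 4568), and the function names, finding labels and sample messages are constructed for illustration.

```python
"""Audit a captured SIP INVITE for cleartext signaling, cleartext media,
and SRTP master keys exposed through SDES (a=crypto) on an unprotected hop."""
import re

# Via transports that protect a signaling hop (TLS, or WebSocket over TLS).
PROTECTED = {"TLS", "WSS"}
MEDIA_RE = re.compile(r"^m=(\w+) (\d+)(?:/\d+)? (\S+)", re.M)
CRYPTO_RE = re.compile(r"^a=crypto:\d+ (\S+) inline:", re.M)


def split_message(raw):
    """Return (head, body): start line plus headers, and the SDP body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body


def via_transports(head):
    """Transport of every hop recorded in Via headers (folded headers ignored)."""
    hops = []
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):  # "v" is the compact form
            hops += [t.upper() for t in re.findall(r"SIP/2\.0/(\w+)", value, re.I)]
    return hops


def audit_invite(raw):
    """Return a list of (code, detail) findings for one SIP message."""
    head, body = split_message(raw)
    findings = []

    hops = via_transports(head)
    # Every recorded hop must be protected; one UDP/TCP hop exposes the SDP.
    signaling_protected = bool(hops) and all(t in PROTECTED for t in hops)
    if not signaling_protected:
        findings.append(("SIGNALING_CLEARTEXT", f"Via transports: {hops}"))

    for kind, port, proto in MEDIA_RE.findall(body):
        if port == "0":                        # port 0 = stream disabled
            continue
        if "SAVP" not in proto.upper():        # RTP/AVP(F) is unencrypted RTP
            findings.append(("MEDIA_CLEARTEXT", f"{kind} uses {proto}"))

    suites = CRYPTO_RE.findall(body)
    if suites and not signaling_protected:
        # SRTP is negotiated, but its master key crossed the wire readable.
        findings.append(("SRTP_KEY_EXPOSED", f"SDES suites: {suites}"))
    return findings


def codes(raw):
    return [code for code, _ in audit_invite(raw)]


def build_invite(transports, media_proto, crypto=False):
    """Constructed sample INVITE (documentation addresses, fake key)."""
    sdp = ["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-",
           "c=IN IP4 192.0.2.10", "t=0 0",
           f"m=audio 49170 {media_proto} 0"]
    if crypto:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
                   "inline:CONSTRUCTEDsampleKEYnotREALxxxxxxxxxxxxxx")
    body = "\r\n".join(sdp) + "\r\n"
    head = ["INVITE sip:bob@example.com SIP/2.0"]
    head += [f"Via: SIP/2.0/{t} 192.0.2.{10 + i}:5060;branch=z9hG4bKsample{i}"
             for i, t in enumerate(transports)]
    head += ["From: <sip:alice@example.com>;tag=1",
             "To: <sip:bob@example.com>",
             "Call-ID: constructed-1@192.0.2.10",
             "CSeq: 1 INVITE",
             "Content-Type: application/sdp",
             f"Content-Length: {len(body)}"]
    return "\r\n".join(head) + "\r\n\r\n" + body


if __name__ == "__main__":
    samples = {
        "plain SIP + RTP": build_invite(["UDP"], "RTP/AVP"),
        "SRTP keyed over UDP": build_invite(["UDP"], "RTP/SAVP", crypto=True),
        "SRTP keyed over TLS": build_invite(["TLS"], "RTP/SAVP", crypto=True),
        "TLS then UDP hop": build_invite(["TLS", "UDP"], "RTP/SAVP", crypto=True),
    }
    for label, msg in samples.items():
        print(label, "->", audit_invite(msg) or "no findings")
```

A clean result only covers the hops recorded in the Via headers of the message that was captured; it says nothing about hops beyond the capture point.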



Re: Seeking Information regarding VoIP security Assessment

by Nikhil Wagholikar

Hello Abhishek,

You can read through this article, though old, still worth reading:
Article: www.cisco.com/asiapac/ipc/files/miercom_report_voip_security.pdf

There are a lot of tools available for VoIP Security Assessment and
testing. You can find a list of those tools here:
List 1: http://www.security-database.com/toolswatch/+-VoIP-+.html
List 2: http://www.voipsa.org/Resources/tools.php

Also you can have a look at this thread: VoIP Security Assessment Tools
Thread: http://www.voipsa.org/pipermail/voipsec_voipsa.org/2006-March/001251.html

Besides these, just recently a VoIP Security Live Distro was released.
The distro includes VoIP security assessment tools such as UCsniff,
VoipHopper, Videojak, videosnarf, ACE, Warvox, and a number of other
useful tools along with traditional security assessment tools like
Metasploit, Nmap, Netcat, Hydra, Hping2 and others.
More Info: http://vipervast.sourceforge.net/

Hope this helps!!

---
Nikhil Wagholikar
Practice Lead | Security Assessments & Digital Forensics
Network Intelligence India Pvt. Ltd. [NII Consulting]
Web: http://www.niiconsulting.com/
Comprehensive Information Security Training
http://iisecurity.in/courses/Training Calendar.html

2009/10/14 Abhishek Kumar <abhishek.luck@...>:

> Dear list,
>
> Can I have some resource materials for VoIP security and its Assessment ??
>
> regards
> abhi
>


RE: Seeking Information regarding VoIP security Assessment

by SOC-3


I want it too..



-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Abhishek Kumar
Sent: Wednesday, October 14, 2009 8:57 PM
To: security-basics@...
Cc: pen-test
Subject: Seeking Information regarding VoIP security Assessment

Dear list,

Can I have some resource materials for VoIP security and its Assessment ??

regards
abhi



Re: Seeking Information regarding VoIP security Assessment

by Abhishek Kumar-6

Really very helpful suggestions and resources.

Actually I have been given a task to write a 2-3 page writeup on VoIP
security and how we can do VoIP security assessment.

regards
abhi
On Wed, Oct 14, 2009 at 10:16 PM, J. Oquendo <cisa@...> wrote:

> Abhishek Kumar wrote:
>> Dear list,
>>
>> Can I have some resource materials for VoIP security and its Assessment ??
>>
>> regards
>> abhi
>>
> Voice is no different than data. If more people understood that, more
> people would see similar attack vectors and risk strategies. It's a
> consortium of protocols (SIP, H323, etc) that work similarly to many
> others (SMTP, HTTP) so the same attack methodologies apply. Sniffing,
> spoofing and so on. When you look at it in this fashion instead of some
> foreign point of view, one will see how easy it is. So here are some
> similar questions right back:
>
> "Can I have some resource materials for HTTP security and its assessment?"
> "Can I have some resource materials for SMTP security and its assessment?"
>
> Follow the same structure as you would for other protocols. Learn how it
> functions (username, password, server, ports), how data (DATA because
> voice streams are (*drum roll*) ... data) and go from there. Same core
> principles will still apply to VoIP. Is it sniffable? Yup. Does it
> entail using username password combos? Yup (almost 98+ percent of the
> time). Is it client server based? Yup. No different than any other
> protocol. Understand how it works from the ground up by reading RFC's or
> detailed "how does VoIP work?" and go from there.
>
> You can't expect any definitive "here you go!" response for this
> question without having a core understanding of how networking works for
> starters, along with good deductive reasoning skills, core understanding
> of client/server interactions, the OSI and its interaction with each
> other. The rest doesn't matter: "zomfg ... audio! video! But its
> voice!... VoIP!!!" ... No it's data once it hit the network. The rest is
> a matter of understanding the data that you're looking at and rebuilding
> and or re-engineering that data.
>
> http://www.packetizer.com/ipmc/papers/understanding_voip/voip_protocols.html
> http://www.tech-pro.net/voice-over-ip.html
> http://www.cs.columbia.edu/sip/
> http://www.voipsa.org/Resources/articles.php
> http://www.voipsa.org/Resources/tools.php
>
> --
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>
> "It takes 20 years to build a reputation and five minutes to
> ruin it. If you think about that, you'll do things
> differently." - Warren Buffett
>
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
>



Re: Seeking Information regarding VoIP security Assessment

by J. Oquendo-5

Abhishek Kumar wrote:
> Really very helpful suggestions and resources.
>
> Actually I have been given a task to write 2-3 page writeup on VoIP
> Security and how we can do VoIP
> security assessment.
>
> regards
> abhi
>  

Depends on what your goal(s) is/are. For example, snooping
(eavesdropping) is accomplished by sniffing the wire and recompiling the
audio (RTP or other protocol used
http://www.ietf.org/rfc/rfc3550.txt?number=3550) which would affect
confidentiality. With any kind of packet injection tool and knowledge of
SIP (if SIP is targeted) you could do some interesting things. Because
most VoIP equipment are using a client server set-up and almost ALL VoIP
based phones have a web interface, they're DoSable, prone to the same
attacks as any other HTTP server.

Imagine the following: Using curl being able to reset variables. Not a
big deal at first glimpse, however imagine this:

Scenario1: You change your caller ID as that of an employee. Call IT and
tell them "reset my X (voicemail, email, etc.) password" Because the IT
guy wants to validate you he uses caller ID and does so.
Scenario2: You change your caller ID as that of an employee. Call IT and
tell them "reset my X (voicemail, email, etc.) password" Because the IT
guy wants to validate you he refuses to use caller ID and tells you he
will call you right back. At this point if you DoS'd the phone it
wouldn't receive calls hence them going into voicemail. In comes perl,
curl or whatever packet builder you prefer... Perform a POST to the
phone or server, depending on your craftiness and time, reset the
voicemail PIN. Go into the user's voicemail, instant pentesting
gratification.

There are plenty of ways to abuse VoIP - the facts are facts though -
it's just data. From a sniffing/PITA perspective, you could snoop calls,
splice together audio and create your own soundboard WITH that person's
voice - perhaps bypassing voice recognition. Sky's the limit when you
have a focus on what it is you want to do. So ask yourself that first...
What is it you want to do... Capture data, manipulate data, etc.

I know quite a few revisions of firmware on certain phone vendors that I
can re-write POSTS and reset phones, passwords, change names, insert a
call forward argument. It all boils down to what is it you're trying to
accomplish. In the case of an assessment, the approach for me would be
to start at the ground up. Test the security of the phone application
itself (HTTP scanner), test if any ports are open and why - which means
you'd have to have literature from the manufacturer, test the
tamperability of the connection (can you sniff the wire, any vlans (VLAN
hopping), can you perform posts/injections, etc). Follow the same steps
you would for any client server.

--

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: Seeking Information regarding VoIP security Assessment

by Ivan .

some dude posted this a while back - haven't tried it myself yet.....

++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am pretty new to the list and just wanted to let everyone know that
I have developed a VoIP security live distribution called VAST. The
distro includes VoIP security assessment tools such as UCsniff,
VoipHopper, Videojak, videosnarf, ACE, Warvox, and a number of other
useful tools along with traditional security assessment tools like
Metasploit, Nmap, Netcat, Hydra, Hping2 and others. The link for the
distro is http://vipervast.sourceforge.net. The distro is still in a
very beta stage and suggestions are welcome.

Cheers,
Mike Jones
C|EH E|CSA ACSA GCIH GHTQ GHD
6e6f7468696e67206973206173206974207365656d73
++++++++++++++++++++++++++++++++++++++++++++++++++++++




Re: Seeking Information regarding VoIP security Assessment

by Abhishek Kumar-6

> http://www.amazon.com/Hacking-VoIP-Protocols-Attacks-Countermeasures/dp/1593271638/ref=sr_1_5?ie=UTF8&s=books&qid=1255539821&sr=1-5

It's really a good book giving you the practical aspects of VoIP
communication and its security.

@Jon.Kibler, thank you for suggesting this book.

I would appreciate it if you could suggest more materials like this.

regards
abhi



Re: Seeking Information regarding VoIP security Assessment

by Rick Zhong

As the other guys mentioned, it is really a huge topic. You may want
to start looking at the two main protocols, SIP and H.323. A quick
search on securityfocus will give you quite a big list of SIP and H.323
testing articles. A quick list of tools I can think of:

SIP Proxy - http://sourceforge.net/projects/sipproxy/
SFTF - http://www.sipforum.com/index.php?Itemid=&option=com_search&searchword=framework
SIP Bomber - http://freshmeat.net/projects/sipbomber/
Another list of tools from VOIPSA - http://www.voipsa.org/Resources/tools.php

regards,
Rick



On Wed, Oct 14, 2009 at 11:26 PM, Abhishek Kumar
<abhishek.luck@...> wrote:

> Dear list,
>
> Can I have some resource materials for VoIP security and its Assessment ??
>
> regards
> abhi
>



--
Information (In)Security @ Where It Matters - http://blog.rickzhong.com



Re: Seeking Information regarding VoIP security Assessment

by dp-3

take a look at these tools for VOIP & Telephony Analysis:

 PcapSipDump
 PcapToSip_RTP
 SIPSak
 SIPcrack
 SIPdump
 SIPp
 Smap

--
ocrop oid

2009/10/15 Rick Zhong <sagiko@...>:

> As the other guys mentioned, it is really a huge topic. You may want
> to start looking at the two main protocols, SIP and H.323. A quick
> search on securityfocus will give you quite a big list of SIP and H.323
> testing articles. A quick list of tools I can think of:
>
> SIP Proxy - http://sourceforge.net/projects/sipproxy/
> SFTF - http://www.sipforum.com/index.php?Itemid=&option=com_search&searchword=framework
> SIP Bomber - http://freshmeat.net/projects/sipbomber/
> Another list of tools from VOIPSA - http://www.voipsa.org/Resources/tools.php
>
> regards,
> Rick
>
>
>
> On Wed, Oct 14, 2009 at 11:26 PM, Abhishek Kumar
> <abhishek.luck@...> wrote:
>> Dear list,
>>
>> Can I have some resource materials for VoIP security and its Assessment ??
>>
>> regards
>> abhi
>>
>
>
>
> --
> Information (In)Security @ Where It Matters - http://blog.rickzhong.com
>



Re: Seeking Information regarding VoIP security Assessment

by J. Oquendo-5

DiPo wrote:

> Take a look at these tools for VOIP & Telephony Analysis:
>
>  PcapSipDump
>  PcapToSip_RTP
>  SIPSak
>  SIPcrack
>  SIPdump
>  SIPp
>  Smap
>  

I've said this story once and I will repeat it.

Should I go into my local Sears or a similar store, get ahold of all the
tools associated with fixing an engine and perform the duties of trying
to do so without having an iota's worth of knowledge about the
components of an engine?

The tools mean nothing if a person doesn't understand what they're doing
with them, how they work and why sometimes you might not need a hammer
when you have the back of a strong wrench to nail something in.

--

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

